For the past two to three years there have been discussions on the tabling of Jamaica’s Data Protection Act (“DPA”) for the purposes of ensuring greater accountability where management of personal data is concerned. The most recent update in October 2016 was that it should be tabled in Parliament in 2017. While the DPA is yet to be tabled, for more reasons that one, we should anticipate its passing as it will be a step in the right direction for ensuring that Jamaica is on par with international data management and protection standards.
The dilemma
With increased talks of hacking and data manipulation and the ease of doing business online to gain greater access to products and services, data security should be of concern to everyone. In fact, research shows that the average individual trades in thousands of kilobytes of personal data on a daily basis for the sake of accessing products and services. Consequently, entities store and have access to vast amounts of metadata on individuals who interface with them on a daily basis. Metadata includes, but is not limited to, your geographical location, the sender and recipient of your calls and emails, and the time and duration of your web connections.The average Jamaica therefore unwittingly gives entities access to his/her personal data on a daily basis, without the capability of monitoring such data and the persons who have access to such data.
Constitutional framework
For the very first time in 2011, Jamaica explicitly recognised the right to privacy in the Charter of Fundamental Rights and Freedoms (Constitutional Amendment) Act, 2011 (“the Charter”). The Charter now expressly provides for the protection of private and family life and the privacy of communication. Our local courts are yet to pronounce on the scope and content of the right and whether it will be interpreted to regulate entities that store personal data.Our local Supreme Court has however ruled that the Charter applies horizontally, as between one private citizen and another private citizen. A company or individual may therefore be liable for breaches of an individual’s Constitutional right, where the nature of the right and the duty imposed by the right are of such that the right applies horizontally. The right to privacy arguably falls into the category of rights which are enforceable horizontally because of the categories of persons or entities who may have access to personal data for one reason or another.Though the Charter guarantees the right to privacy, there is little legal framework locally which supports and guarantees the right. The DPA will therefore be a step in the right direction as it will be aimed at protecting the right to privacy through governing the collection, processing, storage, and disclosure of personal information.
Protection of personal data under the DPA
We have yet to see a draft of what the DPA will look like. However, there are several similar pieces of legislation in other jurisdictions. For example, in the United Kingdom, the 1998 Data Protection Act provides for both civil and criminal remedies. As one example, the Act provides that a person may be compensated for distress or where he suffers damage as a result of breaches of the Act.In the Caribbean, Trinidad and Tobago passed its Data Protection Act in 2011, Antigua and Barbuda in 2013, Bahamas in 2007, while Barbados has had a Data Protection Act in its draft stages since 2005. All these pieces of legislation have similar terms to those in the UK Data Protection Act.Locally, we have only been advised of what the DPA will contain in general terms. It is assumed however that our DPA will adopt and make use of some of the relevant and applicable provisions of Data Protection Acts in other jurisdictions.Under the local DPA it is envisioned that individuals will have more control over their personal data. They will be able to request certain information under the DPA, including information on the category of personal data which is stored, the purpose for which the data is being stored and processed, and the class of persons who have access to the information. In addition to those rights, the individuals will be able to request that incomplete or inaccurate information relating to them be edited for accuracy.The DPA will also prevent the disclosure of personal information to third parties without prior disclosure and the informed consent of the individual concerned.
Obligations for corporate entities
Perhaps one of the more key concerns is that entities which currently collect and store personal data locally will be under an obligation to maintain effective data management systems to ensure the integrity of personal data that is stored. It is expected under the DPA that private and public sector entities will now implement the necessary technical and institutional support to ensure that there is greater protection of personal data within their custody or control.These obligations will necessarily involve the employment of individuals who are trained and equipped in data management. It will also involve the acquisition and maintenance of proper data management equipment and software.Of course an alternative would be for the company to contract with another entity that is better equipped to deal with data management. However, in the event that the company has contracted for another entity to store and process data, it will have the primary obligation of ensuring that that third party has an effective data management system in place.
Litrow Hickson is an Associate at Myers, Fletcher and Gordon and is a member of the firm’s Litigation Department. Litrow may be contacted via litrow.hickson@mfg.com.jm or www.myersfletcher.com This article is for general information purposes only and does not constitute legal advice